Applies to version 2019.1.4.x; Author: Michał Bednarz
When a system uses AAD authentication, it may be necessary to manage O365 users from within WEBCON BPS. WEBCON BPS has dedicated actions only for local (on-premises) AD; for AAD, the standard actions available in WEBCON BPS (the Invoke REST Web service action) can be used together with the Microsoft Graph REST service.
Register a new application in the AAD management console. This is done in the same way as registering the application used to synchronize the BPS user list.
The difference is in the API Permissions window: the new application must be granted the following permissions. Grant only the permissions that the Graph methods used below actually require (each method's documentation lists them); application permissions also need admin consent before the calls will succeed:
The methods for managing user objects in AAD are described here: https://docs.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-beta. A user is created with: https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-beta&tabs=http. Note that both links point to the beta endpoint; for a production configuration use the v1.0 endpoint, because beta APIs are subject to change and Microsoft does not support them in production applications.
It is a good idea to create a User ID form field. It will store the user's ID returned by AAD; the ID is required for any further management of the created user.
The data required for authentication is taken from the application configuration with AAD, analogously to the application used to synchronize the BPS user list.
In the first tab, select the previously configured connection:
In the next tab, enter the REST suffix and select the HTTP method; when creating a new user, set it to POST:
The next step is passing the user object in JSON format; the list of the user object's properties is available in the Graph documentation.
If you want to load response data into the BPS instance, the Response tab must be configured as well. When invoking Graph, loading the response structure fails if the JSON tab contains parameters (variables). To work around this, temporarily fill the JSON tab with literal values, load the response once during configuration, and then restore the variables. Important: loading the response configuration actually invokes the method, so it will create a user in AAD; use throwaway test values and delete the created object afterwards. In this case we are interested in the created object's ID:
For groups, use this object: https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-beta and the following method: https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-beta&tabs=http
The Authentication and Request data tab configuration is analogous to creating a user.
In the JSON tab, choose the form fields for the AAD group:
In the Response tab, load the data in the same way as when creating a user and save the new object's ID in a dedicated form field:
As in the previous section, we will use the Group object, specifically the method that adds a user to a group: https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-beta&tabs=http
The Authentication tab configuration is analogous to the previous actions.
In the Request data tab, the REST suffix must point to the ID of the AAD group being modified. The HTTP method is still POST:
In the JSON tab, pass the user to be added to the group, in the format the method's documentation specifies:
When group membership is modified, Graph returns HTTP 204 on success. The Response tab needs no configuration, because the response body is empty.
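The three REST invoke actions described above (create a user, create a group, add the user to the group) as one added example. This is not code from the article, WEBCON or Microsoft: it builds the request bodies those actions send to Microsoft Graph and handles the responses the way the article does (keep the `id` from a 201, accept the empty 204 when adding a member). It assumes the Graph v1.0 base URL and replaces the real service with an offline `FakeGraph` so the module runs without a tenant; the display names, UPN and group name are constructed sample data.

```python
"""Added example: Graph requests for the user/group/member actions, run against an offline fake."""
from __future__ import annotations
import json
import secrets
import string
import uuid
from dataclasses import dataclass

GRAPH_BASE = "https://graph.microsoft.com/v1.0"  # assumption: v1.0, not the beta endpoint of the doc links
SYMBOLS = "!@#$%^&*"


@dataclass
class GraphRequest:
    method: str
    suffix: str              # the "REST suffix" appended to the connection's base URL
    body: dict | None = None


def initial_password(length: int = 16) -> str:
    """Random one-time password satisfying the usual 3-of-4 character-class rule."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        if sum(any(ch in cls for ch in pwd) for cls in classes) >= 3:
            return pwd


def create_user_request(display_name: str, upn: str, password: str) -> GraphRequest:
    """POST /users with the properties Graph requires; the user must change the password at first sign-in."""
    body = {"accountEnabled": True, "displayName": display_name, "mailNickname": upn.split("@")[0],
            "userPrincipalName": upn,
            "passwordProfile": {"forceChangePasswordNextSignIn": True, "password": password}}
    return GraphRequest("POST", "/users", body)


def create_group_request(display_name: str, mail_nickname: str) -> GraphRequest:
    """POST /groups for a plain security group (not mail-enabled)."""
    return GraphRequest("POST", "/groups", {"displayName": display_name, "mailNickname": mail_nickname,
                                            "mailEnabled": False, "securityEnabled": True})


def add_member_request(group_id: str, user_id: str) -> GraphRequest:
    """POST /groups/{id}/members/$ref: the member is passed as a directoryObjects reference."""
    return GraphRequest("POST", f"/groups/{group_id}/members/$ref",
                        {"@odata.id": f"{GRAPH_BASE}/directoryObjects/{user_id}"})


def created_object_id(status: int, body: str) -> str:
    """POST /users and POST /groups answer 201 with the new object; its 'id' goes into the form field."""
    if status != 201:
        raise RuntimeError(f"expected 201 Created, got {status}: {body}")
    return json.loads(body)["id"]


def member_added(status: int, body: str) -> bool:
    """Adding a member answers 204 with an empty body, so there is nothing to load into BPS."""
    if status == 204:
        return True
    raise RuntimeError(f"adding member failed with {status}: {body}")


class FakeGraph:
    """Offline stand-in for Graph: checks the request shapes and answers with the real status codes."""
    USER_REQUIRED = {"accountEnabled", "displayName", "mailNickname", "userPrincipalName", "passwordProfile"}
    GROUP_REQUIRED = {"displayName", "mailNickname", "mailEnabled", "securityEnabled"}

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}
        self.groups: dict[str, dict] = {}
        self.members: dict[str, set[str]] = {}

    @staticmethod
    def _error(status: int, message: str) -> tuple[int, str]:
        return status, json.dumps({"error": {"code": "Request_BadRequest", "message": message}})

    def send(self, req: GraphRequest) -> tuple[int, str]:
        if req.method != "POST":
            return self._error(405, "only POST is modelled here")
        if req.suffix == "/users":
            if not self.USER_REQUIRED <= set(req.body):
                return self._error(400, "missing required user properties")
            if any(u["userPrincipalName"] == req.body["userPrincipalName"] for u in self.users.values()):
                return self._error(400, "Another object with the same value for property userPrincipalName already exists.")
            oid = str(uuid.uuid4())
            self.users[oid] = {**req.body, "id": oid}
            # Graph never echoes the password back; the fake does the same.
            return 201, json.dumps({k: v for k, v in self.users[oid].items() if k != "passwordProfile"})
        if req.suffix == "/groups":
            if not self.GROUP_REQUIRED <= set(req.body):
                return self._error(400, "missing required group properties")
            oid = str(uuid.uuid4())
            self.groups[oid], self.members[oid] = {**req.body, "id": oid}, set()
            return 201, json.dumps(self.groups[oid])
        parts = req.suffix.strip("/").split("/")
        if len(parts) == 4 and parts[0] == "groups" and parts[2:] == ["members", "$ref"]:
            gid, uid = parts[1], req.body.get("@odata.id", "").rsplit("/", 1)[-1]
            if gid not in self.groups or uid not in self.users:
                return self._error(404, "Resource does not exist")
            if uid in self.members[gid]:
                return self._error(400, "One or more added object references already exist.")
            self.members[gid].add(uid)
            return 204, ""
        return self._error(404, f"unknown resource {req.suffix}")


def provision_user(graph: FakeGraph, display_name: str, upn: str, group_id: str) -> str:
    """The whole workflow: create the user, keep its id, add it to the group; returns the user id."""
    user_id = created_object_id(*graph.send(create_user_request(display_name, upn, initial_password())))
    member_added(*graph.send(add_member_request(group_id, user_id)))
    return user_id
```

The `FakeGraph` answers with the same status codes the service does (201 with the object for users and groups, 204 with no body for a member reference, 400 for a duplicate UPN or an existing member), which is what the Response tab configuration has to be prepared for; in WEBCON the connection's base URL plays the role of `GRAPH_BASE` and the `suffix` values are what goes into the REST suffix field.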
In advanced scenarios, the IDs of AAD objects can be read from the CacheOrganizationStructure table, but only when AAD is the synchronization source of the BPS user list.
These examples show only a handful of the many possibilities offered by Microsoft Graph.